components-sanitizers.sh (9601B)
1 # components-sanitizers.sh 2 # 3 # Copyright The Mbed TLS Contributors 4 # SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 5 6 # This file contains test components that are executed by all.sh 7 8 ################################################################ 9 #### Sanitizer Testing 10 ################################################################ 11 12 skip_suites_without_constant_flow () { 13 # Skip the test suites that don't have any constant-flow annotations. 14 # This will need to be adjusted if we ever start declaring things as 15 # secret from macros or functions inside framework/tests/include or framework/tests/src. 16 SKIP_TEST_SUITES=$( 17 git -C tests/suites grep -L TEST_CF_ 'test_suite_*.function' | 18 sed 's/test_suite_//; s/\.function$//' | 19 tr '\n' ,) 20 export SKIP_TEST_SUITES 21 } 22 23 skip_all_except_given_suite () { 24 # Skip all but the given test suite 25 SKIP_TEST_SUITES=$( 26 ls -1 tests/suites/test_suite_*.function | 27 grep -v $1.function | 28 sed 's/tests.suites.test_suite_//; s/\.function$//' | 29 tr '\n' ,) 30 export SKIP_TEST_SUITES 31 } 32 33 component_test_memsan_constant_flow () { 34 # This tests both (1) accesses to undefined memory, and (2) branches or 35 # memory access depending on secret values. To distinguish between those: 36 # - unset MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN - does the failure persist? 37 # - or alternatively, change the build type to MemSanDbg, which enables 38 # origin tracking and nicer stack traces (which are useful for debugging 39 # anyway), and check if the origin was TEST_CF_SECRET() or something else. 40 msg "build: cmake MSan (clang), full config minus MBEDTLS_USE_PSA_CRYPTO with constant flow testing" 41 scripts/config.py full 42 scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN 43 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 44 scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm 45 scripts/config.py unset MBEDTLS_HAVE_ASM 46 CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan . 47 make 48 49 msg "test: main suites (full minus MBEDTLS_USE_PSA_CRYPTO, Msan + constant flow)" 50 make test 51 } 52 53 component_test_memsan_constant_flow_psa () { 54 # This tests both (1) accesses to undefined memory, and (2) branches or 55 # memory access depending on secret values. To distinguish between those: 56 # - unset MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN - does the failure persist? 57 # - or alternatively, change the build type to MemSanDbg, which enables 58 # origin tracking and nicer stack traces (which are useful for debugging 59 # anyway), and check if the origin was TEST_CF_SECRET() or something else. 60 msg "build: cmake MSan (clang), full config with constant flow testing" 61 scripts/config.py full 62 scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN 63 scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm 64 scripts/config.py unset MBEDTLS_HAVE_ASM 65 CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan . 66 make 67 68 msg "test: main suites (Msan + constant flow)" 69 make test 70 } 71 72 component_release_test_valgrind_constant_flow () { 73 # This tests both (1) everything that valgrind's memcheck usually checks 74 # (heap buffer overflows, use of uninitialized memory, use-after-free, 75 # etc.) and (2) branches or memory access depending on secret values, 76 # which will be reported as uninitialized memory. To distinguish between 77 # secret and actually uninitialized: 78 # - unset MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND - does the failure persist? 79 # - or alternatively, build with debug info and manually run the offending 80 # test suite with valgrind --track-origins=yes, then check if the origin 81 # was TEST_CF_SECRET() or something else. 82 msg "build: cmake release GCC, full config minus MBEDTLS_USE_PSA_CRYPTO with constant flow testing" 83 scripts/config.py full 84 scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND 85 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 86 skip_suites_without_constant_flow 87 cmake -D CMAKE_BUILD_TYPE:String=Release . 88 make 89 90 # this only shows a summary of the results (how many of each type) 91 # details are left in Testing/<date>/DynamicAnalysis.xml 92 msg "test: some suites (full minus MBEDTLS_USE_PSA_CRYPTO, valgrind + constant flow)" 93 make memcheck 94 95 # Test asm path in constant time module - by default, it will test the plain C 96 # path under Valgrind or Memsan. Running only the constant_time tests is fast (<1s) 97 msg "test: valgrind asm constant_time" 98 skip_all_except_given_suite test_suite_constant_time 99 cmake -D CMAKE_BUILD_TYPE:String=Release . 100 make clean 101 make 102 make memcheck 103 } 104 105 component_release_test_valgrind_constant_flow_no_asm () { 106 # This tests both (1) everything that valgrind's memcheck usually checks 107 # (heap buffer overflows, use of uninitialized memory, use-after-free, 108 # etc.) and (2) branches or memory access depending on secret values, 109 # which will be reported as uninitialized memory. To distinguish between 110 # secret and actually uninitialized: 111 # - unset MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND - does the failure persist? 112 # - or alternatively, build with debug info and manually run the offending 113 # test suite with valgrind --track-origins=yes, then check if the origin 114 # was TEST_CF_SECRET() or something else. 115 msg "build: cmake release GCC, full config minus MBEDTLS_USE_PSA_CRYPTO, minus MBEDTLS_HAVE_ASM with constant flow testing" 116 scripts/config.py full 117 scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND 118 scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO 119 scripts/config.py unset MBEDTLS_AESNI_C 120 scripts/config.py unset MBEDTLS_HAVE_ASM 121 skip_suites_without_constant_flow 122 cmake -D CMAKE_BUILD_TYPE:String=Release . 123 make 124 125 # this only shows a summary of the results (how many of each type) 126 # details are left in Testing/<date>/DynamicAnalysis.xml 127 msg "test: some suites (full minus MBEDTLS_USE_PSA_CRYPTO, minus MBEDTLS_HAVE_ASM, valgrind + constant flow)" 128 make memcheck 129 } 130 131 component_release_test_valgrind_constant_flow_psa () { 132 # This tests both (1) everything that valgrind's memcheck usually checks 133 # (heap buffer overflows, use of uninitialized memory, use-after-free, 134 # etc.) and (2) branches or memory access depending on secret values, 135 # which will be reported as uninitialized memory. To distinguish between 136 # secret and actually uninitialized: 137 # - unset MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND - does the failure persist? 138 # - or alternatively, build with debug info and manually run the offending 139 # test suite with valgrind --track-origins=yes, then check if the origin 140 # was TEST_CF_SECRET() or something else. 141 msg "build: cmake release GCC, full config with constant flow testing" 142 scripts/config.py full 143 scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND 144 skip_suites_without_constant_flow 145 cmake -D CMAKE_BUILD_TYPE:String=Release . 146 make 147 148 # this only shows a summary of the results (how many of each type) 149 # details are left in Testing/<date>/DynamicAnalysis.xml 150 msg "test: some suites (valgrind + constant flow)" 151 make memcheck 152 } 153 154 component_test_tsan () { 155 msg "build: TSan (clang)" 156 scripts/config.py full 157 scripts/config.py set MBEDTLS_THREADING_C 158 scripts/config.py set MBEDTLS_THREADING_PTHREAD 159 # Self-tests do not currently use multiple threads. 160 scripts/config.py unset MBEDTLS_SELF_TEST 161 162 # The deprecated MBEDTLS_PSA_CRYPTO_SE_C interface is not thread safe. 163 scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C 164 165 CC=clang cmake -D CMAKE_BUILD_TYPE:String=TSan . 166 make 167 168 msg "test: main suites (TSan)" 169 make test 170 } 171 172 component_test_memsan () { 173 msg "build: MSan (clang)" # ~ 1 min 20s 174 scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm 175 scripts/config.py unset MBEDTLS_HAVE_ASM 176 CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan . 177 make 178 179 msg "test: main suites (MSan)" # ~ 10s 180 make test 181 182 msg "test: metatests (MSan)" 183 tests/scripts/run-metatests.sh any msan 184 185 msg "program demos (MSan)" # ~20s 186 tests/scripts/run_demos.py 187 188 msg "test: ssl-opt.sh (MSan)" # ~ 1 min 189 tests/ssl-opt.sh 190 191 # Optional part(s) 192 193 if [ "$MEMORY" -gt 0 ]; then 194 msg "test: compat.sh (MSan)" # ~ 6 min 20s 195 tests/compat.sh 196 fi 197 } 198 199 component_release_test_valgrind () { 200 msg "build: Release (clang)" 201 # default config, in particular without MBEDTLS_USE_PSA_CRYPTO 202 CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release . 203 make 204 205 msg "test: main suites, Valgrind (default config)" 206 make memcheck 207 208 # Optional parts (slow; currently broken on OS X because programs don't 209 # seem to receive signals under valgrind on OS X). 210 # These optional parts don't run on the CI. 211 if [ "$MEMORY" -gt 0 ]; then 212 msg "test: ssl-opt.sh --memcheck (default config)" 213 tests/ssl-opt.sh --memcheck 214 fi 215 216 if [ "$MEMORY" -gt 1 ]; then 217 msg "test: compat.sh --memcheck (default config)" 218 tests/compat.sh --memcheck 219 fi 220 221 if [ "$MEMORY" -gt 0 ]; then 222 msg "test: context-info.sh --memcheck (default config)" 223 tests/context-info.sh --memcheck 224 fi 225 } 226 227 component_release_test_valgrind_psa () { 228 msg "build: Release, full (clang)" 229 # full config, in particular with MBEDTLS_USE_PSA_CRYPTO 230 scripts/config.py full 231 CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release . 232 make 233 234 msg "test: main suites, Valgrind (full config)" 235 make memcheck 236 }